- Understand process/thread privileges
- Understand intercommunication and object duplication among processes
- Practice analyzing function call parameters and stack
- Operating Systems
- Assembly Language
- Operating System Security
In this tutorial, we show you another intriguing behavior of Max++: it removes Max++Loader.exe from disk once it finishes its infection operations, such as modifying the registry and infecting driver DLL files. The removal is accomplished using a series of interesting techniques: changing process privileges, adding threads to another running process, hooking timer events, and return-oriented programming (more precisely, a return-to-libc attack).
We will analyze the code from 0x3C1193 in this tutorial.
The key to analyzing such malicious activities is to examine the system calls made by Max++. The techniques and skills you need for this kind of analysis were introduced in Tutorial 14.
2. Lab Configuration
(0) Start the WinXP image in DEBUGGED mode. Now in your host system, open a Windows command window and CD to "c:\Program Files\Debugging Tools for Windows (x86)" (where WinDbg is installed). Type "windbg -b -k com:pipe,port=\\.\pipe\com_12" (check the COM port number in your VBox instance setup). When WinDbg starts, type "g" (go) twice to let it continue.
(1) Now launch IMM in the WinXP instance, clear all breakpoints and hardware breakpoints in IMM (see View->Breakpoints and View->Hardware Breakpoints).
(2) Go to 0x4012DC and set a hardware breakpoint there. (Why not a software BP? Because that region will be self-extracted and overwritten, and a software BP would be lost.) Pay special attention that once you go to 0x4012DC, you directly right-click on the line to set the hardware BP (at this point it is still gibberish code).
(3) Press F9 several times to run to 0x4012DC. You will encounter several breakpoints before 0x4012DC. If you pay attention, they are actually caused by the int 2d tricks (explained in Tutorials 3, 4, and 5). Simply ignore them and continue (using F9) until you hit 0x4012DC.
Figure 1 shows the code that you should be able to see. As you can see, this is right before the call of RtlAddVectoredException, where a hardware BP is set to break on the LdrLoadDll call (see Tutorial 11 for details). At this point, the code at 0x3C24FB has not been extracted yet. If you go to 0x3C24FB at this moment, IMM will complain that this address is not accessible.
Figure 1: code at 0x4012DC
Figure 2: code at 0x401407
(6) Now we will set a breakpoint at 0x3C1193. Go to 0x3C1193 and set a SOFTWARE BREAKPOINT there. Press SHIFT+F9 to run to 0x3C1193. (You may see a warning that this address is out of the range of the code segment; simply ignore the warning.)
Figure 3 shows the code that you should be able to see at 0x3C1193. The first instruction should be PUSH EBP, then MOV EBP, ESP, and then SUB EBP, 384.
Figure 3: Function 0x3C1193
We now briefly describe the functionality of 0x3C1193 and leave most of the analysis details to you in Section 4 (challenges).
The first part of the code is shown in Figure 3. Max++ first calls getModuleHandleW on itself, and then calls LdrFindEntryForAddress (on its own module). Then there is a big loop from 0x3C11F1 to 0x3C1224, which walks the process list and examines the information of each process. This is done using zwQuerySystemInformation (there is an internal loop which enlarges the buffer if its size is not enough). After several iterations, Max++ identifies a process which satisfies some criteria on its parent process and child threads. In our case, the process identified is smss.exe. Then it opens a thread (think about which thread it is) and assigns a bunch of privileges to the thread (see Figure 4).
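To make the structure that loop walks concrete, here is an added Python model (not Max++ code and not from the original post) of the grow-and-retry pattern around zwQuerySystemInformation and of the NextEntryOffset-linked SYSTEM_PROCESS_INFORMATION entries it returns, ending with the parent/thread-count selection. The field offsets are the commonly documented 32-bit layout, and the sample pids, the mock syscall and the selection criteria are assumptions (the real criteria are left to Challenge 4).

```python
import struct

STATUS_SUCCESS, STATUS_INFO_LENGTH_MISMATCH = 0x00000000, 0xC0000004
# Field offsets of a 32-bit SYSTEM_PROCESS_INFORMATION entry (assumed common
# layout; confirm against the live buffer in IMM): NextEntryOffset, NumberOfThreads,
# ImageName (UNICODE_STRING), UniqueProcessId, InheritedFromUniqueProcessId.
OFF_NEXT, OFF_NTHREADS, OFF_IMAGE, OFF_PID, OFF_PPID = 0x00, 0x04, 0x38, 0x44, 0x48
FIXED_SIZE = 0xB8  # fixed part of an entry, before the per-thread array

def build_entry(pid, ppid, nthreads, name, last=False):
    # Constructed entry laid out like the kernel's; in this mock ImageName.Buffer
    # holds an offset from the entry start rather than a pointer.
    wname = name.encode("utf-16-le")
    e = bytearray(FIXED_SIZE)
    struct.pack_into("<II", e, OFF_NEXT, 0 if last else FIXED_SIZE + len(wname), nthreads)
    struct.pack_into("<HHI", e, OFF_IMAGE, len(wname), len(wname), FIXED_SIZE)
    struct.pack_into("<II", e, OFF_PID, pid, ppid)
    return bytes(e) + wname

def mock_zw_query_system_information(snapshot, buf_len):
    # Like zwQuerySystemInformation(SystemProcessInformation): a too-small buffer
    # fails with STATUS_INFO_LENGTH_MISMATCH and reports the length needed.
    if buf_len < len(snapshot):
        return STATUS_INFO_LENGTH_MISMATCH, None, len(snapshot)
    return STATUS_SUCCESS, snapshot, len(snapshot)

def query_with_retry(snapshot, size=0x100):
    # The grow-and-retry loop wrapped around the call at 0x3C11F3.
    while True:
        status, data, needed = mock_zw_query_system_information(snapshot, size)
        if status == STATUS_SUCCESS:
            return data
        size = needed + 0x100  # reallocate larger and try again

def iter_processes(buf):
    # Walk the NextEntryOffset-linked list; the last entry carries offset 0.
    off = 0
    while True:
        nxt, nthreads = struct.unpack_from("<II", buf, off + OFF_NEXT)
        nlen, _, noff = struct.unpack_from("<HHI", buf, off + OFF_IMAGE)
        pid, ppid = struct.unpack_from("<II", buf, off + OFF_PID)
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le")
        yield {"pid": pid, "ppid": ppid, "threads": nthreads, "name": name}
        if nxt == 0:
            return
        off += nxt

def find_host_process(buf, parent_pid, min_threads):
    # First process whose parent and thread count satisfy the (placeholder) criteria.
    for p in iter_processes(buf):
        if p["ppid"] == parent_pid and p["threads"] >= min_threads:
            return p
    return None

# Constructed XP-like snapshot with typical, not captured, pids.
SAMPLE = b"".join([build_entry(4, 0, 50, "System"), build_entry(368, 4, 3, "smss.exe"),
                   build_entry(584, 368, 12, "csrss.exe", last=True)])
```

When answering Challenge 3 in IMM, dump the returned buffer and check that the offsets above match what the debugger shows before relying on them.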
Figure 4. Adding Privileges to Thread
Figure 5. Duplicate File Object
Figure 6. Create a New Thread in smss.exe Process
4. Challenges
[Hint: for system functions starting with "zw", documentation of the corresponding "nt" function can often be found. For example, "zwDuplicateObject" corresponds to "ntDuplicateObject".]
Challenge 1. Analyze the semantics of all function parameters and the return value of the getModuleHandleW call at 0x3C11A6 (see Figure 3).
Challenge 2. Analyze the semantics of all function parameters and the return value of the LdrFindEntryForAddress call at 0x3C11AD (see Figure 3).
Challenge 3. Analyze the semantics of all function parameters and the return value of the zwQuerySystemInformation call at 0x3C11F3 (see Figure 3).
Challenge 4. Summarize the function of the loop from 0x3C1209 to 0x3C123F, which searches for a process into which to inject a thread. There are some properties such a host process must satisfy. Read the code and describe these desired properties (on the parent process and child threads).
Challenge 5. In Figure 4, Max++ adds a collection of privileges to a thread. Which thread is it (which process does this thread belong to)? Try to figure it out and prove that your argument is correct.
Challenge 6. In Figure 4, Max++ adds a collection of privileges to a thread. Analyze the RtlAdjustPrivilege calls at 0x003C1297, 0x003C12A3, 0x003C12AF, 0x003C12BB, etc. List the privileges added.
Challenge 7. Analyze the function call DosPathNameToNtPathName at 0x003C12DA (in Figure 5).
Challenge 8. Analyze the function call zwOpenFile at 0x003C1331 (in Figure 5).
Challenge 9. Analyze the function call zwDuplicateObject at 0x003C1355 (in Figure 5). Where is the new (duplicated) object stored?
Challenge 10. Analyze the function call zwDuplicateObject at 0x003C136e (in Figure 5). Which object is duplicated?
Challenge 11. Analyze the function call RtlCreateUserThread at 0x003C1390 (in Figure 6).
Challenge 12. Analyze the function call zwContextThread at 0x003C13B5 (in Figure 6).
Challenge 13. Analyze the function call zwWriteVirtualMemory at 0x003C145F (in Figure 6).
Thanks man. I am looking for this kind of step-by-step introduction to such a complex subject. Nicely started reading from your first post. Keep posting...
Hey, nice site you have here! Keep up the excellent work!
Your posts are really helpful for me. Thanks for your wonderful post. I am very happy to read your post.
Nice article. I was really impressed by this article; it was very interesting and it is very useful for learners.
It helps software developers and programmers to validate software application performance and behavior before deployment. Nice article.
I have been following your posts regularly. It is very informative, so I share it with my students.
Thanks for your wonderful post. I am very happy to read your post.
This is really informative. Thanks for sharing this article.
I have finally found worthwhile content to read. The way you have presented the information here is quite impressive. I have bookmarked this page for future use. Thanks for sharing content like this once again. Keep sharing content like this.
Very nice and informative blog.